Adrian Hada and Mihai Vasilescu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9. The slides and other presentations can be found on https://def.camp/archive

1. 1© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
MIRAI TO MONERO – ONE YEAR’S
WORTH OF HONEYPOT DATA
Adrian Hada, Senior Security Researcher
Mihai Vasilescu, Senior Security Researcher

2. 2© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
WHO ARE WE?
• Senior security researchers
• Love exploits, malware, honeypots and tinkering
• Good guys
• Hope for unemployment because #securityissolved
• @ht_adrian & @me_high4eva

3. 3© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
WHO ARE WE?

4. 4© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
HONEY NETWORK
Honeypot distribution

5. 5© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
WHAT ARE ATTACKERS LIKE?

6. 6© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
ATTACKERS ARE...
• Persistent
• Not very fashionable
• Resourceful
• Opportunistic
• All the above
• Driven

7. 7© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
HONEY NETWORK
Distribution by targets

8. 8© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
PERSISTENT – BRUTE FORCE
• TELNET
• SSH
• SMTP
• POP3
• IMAP
• VNC
• HTTP
• Wordpress
• Joomla
• PHPMyAdmin
• And the list goes on
Protocols

9. 9© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
PERSISTENT – BRUTE FORCE
• Note: one “event” is per-hour aggregation
Events
0
50000
100000
150000
200000
250000
January-18 February-18 March-18 April-18 May-18 June-18 July-18 August-18 September-18
Bucketed Brute Force Events

10. 10© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
PERSISTENT – BRUTE FORCE
Unique IP Addresses
0
5000
10000
15000
20000
25000
30000
35000
40000
January-18 February-18 March-18 April-18 May-18 June-18 July-18 August-18 September-18
Unique IP Addresses

11. 11© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
PERSISTENT – BRUTE FORCE
Target Prevalence
Telnet-Bruteforce
53%
SSH-Bruteforce
38%
MySQL/MSSQL Bruteforce
7%
SMTP Authentication Bruteforce
2%
Generic PHP Application Login
Bruteforce
0%
RDP-Bruteforce
0%
POP3 Bruteforce
0%
VNC Bruteforce
0%
XMLRPC sys.multicall Bruteforce
Authentication
0%
Top 10 Bruteforce Targets
Telnet-Bruteforce
SSH-Bruteforce
MySQL/MSSQL Bruteforce
SMTP Authentication Bruteforce
Generic PHP Application Login Bruteforce
RDP-Bruteforce
POP3 Bruteforce
VNC Bruteforce
XMLRPC sys.multicall Bruteforce Authentication

12. 12© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
PERSISTENT – BRUTE FORCE
Bruteforce Stats - October 2018
Telnet-Bruteforce
SSH-Bruteforce
MySQL/MSSQL Bruteforce
VNC Bruteforce
Generic PHP Application Login
Bruteforce
RDP-Bruteforce
POP3 Bruteforce
XMLRPC sys.multicall
Bruteforce Authentication

13. 13© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
PERSISTENT - CSI
• Not that many hits (aprox 6000)
• VMs, not Cisco hardware
Cisco Smart Install

14. 14© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
NOT VERY FASHIONABLE
• CVE-2013-6117
Dahua DVRs

15. 15© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
NOT VERY FASHIONABLE
• Yes, it's the WannaCry one...
ETERNALBLUE

16. 16© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
NOT VERY FASHIONABLE
• It’s all fun and games
• Until you expose a DNS “open resolver”
NTP & DNS

17. 17© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
RESOURCEFUL
XAttacker

18. 18© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
RESOURCEFUL
XAttacker

19. 19© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
RESOURCEFUL
XAttacker

20. 20© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
RESOURCEFUL
XAttacker
0
200
400
600
800
1000
1200
January-18 February-18 March-18 April-18 May-18 June-18 July-18 August-18 September-18
XAttacker Bucketed Hits

21. 21© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
OPPORTUNISTIC
Drupalgeddon[23]

22. 22© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
ALL OF THESE
DLink – multiple vulnerabilities

23. 23© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
ALL OF THESE
MySQL

24. 24© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
DRIVEN - DDOS
• Evolution of number of events
Mirai & Clones

25. 25© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
DRIVEN - DDOS
• Evolution of number of events
Mirai & Clones

26. 26© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
DRIVEN - DDOS
• Fortinet blogged: https://www.fortinet.com/blog/threat-research/ddos-for-hire-service-powered-by-
bushido-botnet-.html
Mirai & Clones

27. 27© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
DRIVEN - DDOS
• Antique bot, Windows, possibly modified
• Seen via MySQL and ETERNALBLUE
Nitol

28. 28© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
DRIVEN - DDOS
• Multiple documented families
• DDoSTF via MySQL (reported by MalwareMustDie in 2016)
• DoFloo DDoS Trojan – validate using CC decryptor from https://github.com/felicitychou/RATConf-
DecryptScript
Other Bots

29. 29© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
DRIVEN - COIN MINERS
• Seen via multiple exploits
• Monero is the go-to currency
• Reuse open mining tools
• Example from ETERNALBLUE

30. 30© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
DRIVEN - COIN MINERS
• Notice something strange?
certutil.exe –urlcache –split –f <url>

31. 31© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
DRIVEN - COIN MINERS
• Technique described previously, not new
• Xavier Mertens’ ISC diary: https://isc.sans.edu/diary/rss/23517

32. 32© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
DRIVEN - BACKDOORS
• Main source – ETERNALBLUE
• (allegedly) Chinese backdoor - https://artemonsecurity.blogspot.com/2012/12/zegost-
analysis-of-chinese-backdoor.html
• DLL file contains download URL for executable
• Payload conf can be decrypted via RADconf-DecryptScript
Zegost Trojan

33. 33© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
DRIVEN – BACKDOORS WITH A TWIST
• One sample URL downloaded 8.5M of data..
• Apparently, Themida-packed binary
• Sandbox it!
Zegost Trojan

34. 34© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | 34© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
“IT’S 2019. THE INTERNET IS
STILL A DANGEROUS PLACE.
WHETHER WINDOWS OR LINUX.
OR MAC.”
Us,2018

35. 35© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | 35© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |

36. 36© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | 36© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
“ATTACKERS ARE A LOT LIKE US.
IF THEY CAN BREAK THINGS, WE
CAN PROTECT THEM.”
Us,2018

37. 37© 2018 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |